
Physical Security and Facilities Management 101

David M. DiQuinzio, P.E., Strategic Facilities, Inc.
Kathleen A. Lucey, FBCI, Montague Technology Management, Inc.

Session Agenda

Kathleen:
Introduction and ground rules
Physical Access Security
Incident Management
Introduction to SFI

David:
Reliability vs. Availability
The Players
Risk Assessment
Case Studies

Questions & Discussion

GROUND RULES
Please interrupt immediately if you...
Can't hear
Can't see or read the slides
Find the presentation confusing
Let's address the situation ASAP!

Introduction
It's about working together to avoid the interruption and minimize both its recurrence and its impact...
Who are the players... and how do we work together?
Making the right decisions for design, detection, and response
Managing the incident to minimize impact and deter recurrence

Where are MOST of the Continuity Challenges??

(Figure: continuity issues, from catastrophic interruptions through minor interruptions and everyday blips to process dysfunctions, set against the BCARE solutions: Continuity, Availability, Reliability, Engineering.)

Physical Access Security

Establishing Perimeters
Implementing and Maintaining a System, Equipment, Procedures
Defensive Depth, Universal Application
Monitoring / Detection / Response
Common Intrusion Techniques

What is a Perimeter?
Controlled border
External: Public / First Level. May be outside of building.
Second: Building Access. May include elevators and stairways.
Multiple interior: authorization related to function-based need to know

Systems, Equipment, Procedures

System components: hardware, software, devices, data, personnel (operators and staff)
Equipment: readers, tokens, cameras and video recorders, screen monitors, barriers (turnstiles, man-traps)
Procedures: operator, equipment maintenance, log review, token issuance, authorization maintenance. System upgrading. Guards.

Defensive Depth
Multiple barriers to breach: make an intruder work harder
Multiple levels, multiple techniques
Multiple levels of monitoring and detection
Introduce random supplemental checks

Universal Application
Every time
Every person
Every control point
Weekdays, nights and weekends
Especially no official piggybacking
Why: keeps the bright line between authorized and unauthorized

Monitoring/Detection/Response
Monitoring: what conditions, when
Detection: manual, automatic, alarms; who is notified?
Response:
Who, what, when
How contacted
Logistics and SLA

Failure in any area breaks the chain of response

Common Intrusion Techniques

Piggy-backing
Poor housekeeping of access privileges:
Terminated employees
Transferred employees
"I have a delivery for Mr./Ms. X."
Concealment within interior protected areas
Exploitation of known system flaws

Incident Management:
How to Get a High ROI

Incident Management
Players
Response Management
Debriefing and Documentation
Follow-up: Implementing Adjustments

Players
BC should be taking the LEAD
IT
Facilities: Internal, Building Management, + vendors, contractors
Physical Security: Internal, Building Management, + external contractors

Response Management (1)

Get complete information:
equipment/environment state
relevant time/day data
understandable alarms
supporting systems

Notify the most knowledgeable person for this case within the appropriate time interval
Eliminate response single points of failure through cross-coverage and training.

Response Management (2)

Who is in charge of logistics procedure?
BC should design, implement, and maintain it, and should be involved in every incident. Should NEVER be IT, Facilities, or Physical Security alone.

Analysis and problem resolution leads to design of the fix. The fix is then applied by the appropriate party, but...
THE FIX DOES NOT END HERE!

Debriefing and Documentation (1)

Formal post-incident meeting
Led by BC; includes all fix participants + others
Cause analysis:
Proximate cause
Contributing causes
Underlying causes

Fix design for all causes

Debriefing and Documentation (2)

BC assigns responsibility for implementation of changes/adjustments to a named person.
Date for change completion, including documentation, is agreed upon.
BC is responsible for follow-up.
BC provides a formal, written meeting record to all participants AND their management.
BC facilitates any budget or resource allocation necessary to design/implement change.
EFFECTIVE PERFORMANCE OF THIS STEP IS THE ONLY WAY TO MAXIMIZE ROI

Follow-up: Implementing Adjustments

BC signs off on correct implementation of change.
BC, working with other units, ensures that any necessary training is provided.
ONLY BY EXECUTION OF THIS KIND OF PROCEDURE CAN YOU PREVENT RECURRENCE OF THE SAME INCIDENT.

BREAK!!

Introduction to Strategic Facilities, Inc.: Dave and Dave

Founded in January 1996 by David A. Sjogren;
David M. DiQuinzio became co-owner in 1997.
Today SFI is a multi-disciplinary, nationwide practice.

Dave and Dave

DiQuinzio
6+ years at Chase Manhattan Bank: Project Manager (Mechanical/Electrical) at MetroTech Center, Brooklyn, NY
3 years at PRK Associates, Critical Facility Engineering Specialists: UPS System Design and Testing, Reliability/Capacity Studies

Sjogren
11+ years at UPS as IT Facilities Director
Ramapo Ridge Data Center, Mahwah, NJ
Windward Data Center, Alpharetta, GA

SFI Clients and Projects

Typical Clients
Hughes
State Street
Cingular
Safeco
1st National Bank of Omaha
Salt River Project

Projects
Site Capacity, Reliability & Ops Analyses
Critical Systems Testing & Commissioning
Operating Procedures & Programs
New Critical Systems Technology Studies
Serve as Interim Facilities Department

PHYSICAL INFRASTRUCTURE SECURITY - FROM A CRITICAL FACILITIES GUY

PART 1
Overview & Introduction

GET WITH THE PROGRAM...

1. Overview & Introduction
2. Facilities, Security, Information Technology and BCP - Risk & Reliability as Common Threads
3. Case Studies - Using Risk & Reliability Language to Improve Coordination among Facilities, Security, IT & BCP

PART 2
Facilities, Security, IT & BCP - Risk & Reliability as Common Threads

WHAT YOU ALREADY KNOW

Good Things:
Card readers and physical access control systems
Cameras
Locked doors
Bad Things:
Piggybacking
Easy-to-guess passwords
Asleep at the console
No need to hear that again

WHAT YOU MAY NOT KNOW...

Facilities & Security co-dependencies
How they affect the enterprise risk picture
How formal risk assessment techniques developed for other industries are emerging as tools to reduce critical facilities risks
How all this relates to BCP/DR

UNTIL NOW

SO WHAT? WHO CARES?

Poor Facilities/Security/IT/BCP coordination = Wasted resources
Risk picture not fully understood
Risks not fully addressed
CEOs, CFOs, CIOs, CHAIRMEN AND DIRECTORS CARE ABOUT THESE THINGS...

...AND SO DO REGULATORS

Copyright 2004 Strategic Facilities Inc. All rights reserved

3 THINGS TO TAKE AWAY

Coordinate Facilities and Security before investing in reliability and BCP/DR improvements - or waste your resources
How? Get everyone on the same page with common language
The language of formal risk assessment techniques does this very well; it's worth taking time to learn

AND ANOTHER THING...

You don't have to become a risk assessment expert to learn and use the language and get value from risk assessment concepts

HOW DO WE KNOW? BEEN THERE, DONE THAT

WHAT LIFE IS LIKE FOR OUR CLIENTS...

WHAT THEY DO RESTS ON SUPPORTING SYSTEMS

A SHORTFALL IN THE CORE BUSINESS WE CAN'T HELP

WE CAN'T FIX THIS, EITHER

OUR MISSION & PURPOSE: AVOID THIS

AERIAL VIEW

SOMEWHERE AT THE BASE...

SECURITY & FACILITIES

SECURITY NEEDS FACILITIES
Surveillance & Access Control need power
Cameras need light
Guard force needs decent environment just like everyone else

FACILITIES NEEDS SECURITY
Extra eyes and ears for building problems
Help screen visiting technicians
Reduce tampering with building systems

MANAGING CRITICAL FACILITIES: PROJECT CIRCLE

FILL IN THE GAPS...

WHAT WE'VE LEARNED FROM DOING THIS: RISK ASSESSMENT LESSONS

RISK
Probability that something bad will happen? Variable #1 - FREQUENCY
How bad if / when it does? Variable #2 - SEVERITY
It's TWO DIMENSIONAL

THE RISK PICTURE

WHAT TO ACT ON?

ACCEPTANCE CURVE

IN YOUR CASE, PERHAPS...

BUT FOR SOMEONE ELSE...

WHERE WE SEE PROBLEMS

WHAT SEEMS TO WORK

MORE LESSONS
RELIABILITY
What is the probability that a system will operate correctly? Over what mission time?
Severity of failure is part of the risk conversation, not the reliability conversation
Duration of failure is also a separate variable
Duration is also part of the risk conversation and also NOT part of the reliability conversation

EMPIRICAL LIFETIME

THE GOAL...

WORTHWHILE? MAYBE...

MAYBE NOT...

LESSONS III
MORE RELIABILITY
Can be expressed as Mean Time To Failure (MTTF)
MTTF is OK, but lacks mission time context
Probability of success over mission time does a better job of depicting the situation
Probability of failure = 1 - (Probability of success)
Duration of failure known as Mean Time To Restore, or MTTR
Probability of success or failure of an individual system does not depend on MTTR

LESSONS IV
AVAILABILITY

Different concept entirely
Comparison of MTTF & MTTR
Mathematically: MTTF / (MTTF + MTTR)
Grossly misused throughout industry in the form of nines; usually, MTTF >> MTTR
Misuse due to two-dimensional nature
Does not mean that MTTR and Availability do not matter

AVAILABILITY - IT DEPENDS

RELIABILITY VS. AVAILABILITY

System A
1 failure; end of year 9
Down entire year 10
Reliability: MTTF = 9 yrs; only 1 sample
Availability: 90 %
More reliable (?), less available
Less certain

System B
4 failures, avg. 1/2.5 yrs
Down 5 min each time
Reliability: MTTF = 2.5 yrs, 4 samples
Availability: 99.996 %
More available, less reliable
More certain
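The System A / System B comparison above, worked through in code. This is an added example, not from the slides; the mission-time reliability assumes an exponential time-to-failure (constant failure rate), which the deck does not specify. Applying the deck's own formula to System B's figures yields about 99.9996 %, not the 99.996 % printed on the slide.

```python
import math

# Added example, not from the slides. Assumes a constant failure rate, so
# reliability over a mission time t is exp(-t / MTTF); the deck gives MTTF,
# MTTR and the availability formula but not a failure distribution.

MINUTES_PER_YEAR = 365 * 24 * 60


def mttf_from_history(observed_years: float, failures: int) -> float:
    """MTTF estimated from operating history; more failures means more samples."""
    if failures == 0:
        raise ValueError("no failures observed; MTTF cannot be estimated")
    return observed_years / failures


def availability(mttf: float, mttr: float) -> float:
    """Steady-state availability, MTTF / (MTTF + MTTR); both in the same units."""
    return mttf / (mttf + mttr)


def reliability(mttf: float, mission_time: float) -> float:
    """Probability of running correctly for the whole mission time
    (exponential time-to-failure: a modelling assumption, not from the deck)."""
    return math.exp(-mission_time / mttf)


def nines(avail: float) -> float:
    """Express an availability fraction as a (fractional) count of nines."""
    return -math.log10(1.0 - avail)


# System A: 9 operating years, one failure, then down for all of year 10.
MTTF_A = mttf_from_history(observed_years=9, failures=1)   # 9 yrs, 1 sample
MTTR_A = 1.0                                                # years
# System B: four failures in ten years (avg. one per 2.5 yrs), 5 min down each.
MTTF_B = mttf_from_history(observed_years=10, failures=4)  # 2.5 yrs, 4 samples
MTTR_B = 5 / MINUTES_PER_YEAR                               # 5 minutes, in years


def compare(mission_years: float = 1.0) -> dict:
    """Availability, nines and mission reliability for both systems."""
    out = {}
    for name, mttf, mttr in (("A", MTTF_A, MTTR_A), ("B", MTTF_B, MTTR_B)):
        a = availability(mttf, mttr)
        out[name] = {"availability": a, "nines": nines(a),
                     "reliability": reliability(mttf, mission_years)}
    return out
```

Over a one-year mission System A is the more reliable system (about 0.89 vs 0.67) while System B is the more available one, which is exactly the slide's point that the two measures answer different questions.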

LESSONS V
HOW SYSTEMS FAIL
Independently, due to internal, local failure
Due to a common-cause effect; that is, something that affects the entire system at once
Natural or man-made disaster, for example; these tend to be high severity, low frequency
Human error is the most frequent common-cause failure mode; often less severe than disasters

Applies to Facilities, Security, IT, BCP

WHERE DOES ALL OF THIS COME FROM?

Probabilistic Risk Assessment - known as PRA
Taught at MIT, Stanford, etc.
Initiated by German rocket scientists during WWII to explain V2 rocket failures
Brought to USA by Wernher von Braun and his associates
Refined by many over the years since

PRA ACCOMPLISHMENTS
Aviation: Odds of you NOT getting off a commercial airliner in one piece are now less than one in one million
Nuclear Power: USA output is up 20% and reportable incidents down despite older fleet and no new plants since early 80s
Slow and steady improvement, not gee-whiz breakthroughs
Very limited application in Facilities arena

PART 3
Case Studies:
Using Risk & Reliability Language to Improve Coordination among Facilities, Security, IT & BCP

CASE #1 - WHO CAN GO INTO THE DATA CENTER

Client is a hedge fund; they develop and use proprietary applications to execute trades.
Frequent hacker target; security is tight.
Big battle over who has access to data center.
Facilities team is responsible for power and cooling in there!
Facilities team members are not employees: Should they be allowed in?

Result for Case #1: Debate spurred client to grow in-house staff and reduce presence of non-employees while expanding the ability to grant and track physical access privileges.

CASE #2 - OPERATOR TRAINING FOR NEW SITE

Client was considering building a new facility specifically designed as a data center.
Limited pool of building engineers to transfer to new facility; mostly air conditioning guys.
Client is late in recognizing problem and planning for commencing operations.
How should the client prepare to operate and how much should they spend to do it?

Result for Case #2: Client saw the folly of spending $25 million on a new site and risking outage due to human error; instead implemented a full program of procedure writing and training to reduce errors.

CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS

Client agreed to lease space in former co-lo site taken over by landlord.
Landlord has never managed critical facilities before.
Power and cooling status info goes to NOC via HP OpenView and other means.
NOC personnel are trained in only IT, not Facilities.
Analysis finds AVAILABILITY too low.
What should the landlord do?

Case #3 Results: Landlord contracted for fast emergency response, added auto-paging capability, and trained NOC staff to relay vital information to qualified responder en route.

CASES #4, 5, etc....

ANY SUGGESTIONS?

RECOMMENDATIONS & CONCLUSIONS

1. When confronting a risk, ask yourself:
How often is it likely to occur?
How bad will its impact be if it does occur?

2. Then, compare this risk to others you face:
Is it likely to occur more or less frequently?
Is its likely impact more or less severe than others?

3. Apply this approach consistently across IT, Facilities and Security

MORE RECOMMENDATIONS & CONCLUSIONS

4. When evaluating a risk reduction measure:
What does it require of other sectors - e.g., if it's a Facilities measure, what do IT and Security need to do to make it work?
Who will do those things and how?
Same question for Security and IT initiatives
What other exposures are out there? Who should address them?

5. Then, look across sectors...
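The frequency and severity questions from the recommendations, applied to a small risk register. This is an added example, not from the slides; the register entries and the acceptance curve (a power law in severity with assumed budget and aversion parameters) are constructed for illustration. It shows two risks with identical expected outage hours landing on opposite sides of the acceptance curve, which is why the deck insists risk is two-dimensional.

```python
from dataclasses import dataclass

# Added example, not from the slides: compare risks on the deck's two axes,
# frequency and severity, instead of collapsing them into one number.
# Register values and the acceptance curve below are constructed assumptions.


@dataclass(frozen=True)
class Risk:
    name: str
    frequency: float   # expected occurrences per year (variable #1)
    severity: float    # critical-load outage hours per occurrence (variable #2)

    @property
    def expected_hours(self) -> float:
        """Annual expected outage hours. Fine for a ranking, but it cannot tell
        a frequent-and-mild risk from a rare-and-catastrophic one."""
        return self.frequency * self.severity


def acceptable_frequency(severity: float, budget: float = 0.5, aversion: float = 1.5) -> float:
    """Assumed acceptance curve: the worse an event, the rarer it must be.
    aversion > 1 makes the curve steeper than constant expected loss, so severe
    events are tolerated less often than their expected hours alone suggest."""
    return budget / severity ** aversion


def exceeds_acceptance(risk: Risk, **curve) -> bool:
    return risk.frequency > acceptable_frequency(risk.severity, **curve)


def rank(risks: list) -> list:
    """Names ordered by expected outage hours, worst first (one-dimensional view)."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_hours, reverse=True)]


def unacceptable(risks: list, **curve) -> list:
    """Names of risks above the acceptance curve (two-dimensional view)."""
    return [r.name for r in risks if exceeds_acceptance(r, **curve)]


# Constructed register for one data hall (not real client data).
REGISTER = [
    Risk("operator error during maintenance", frequency=2.0, severity=0.2),
    Risk("generator fails to start on utility loss", frequency=0.1, severity=4.0),
    Risk("basement switchgear flood", frequency=0.01, severity=72.0),
    Risk("contractor leaves CRAC unit disabled", frequency=0.3, severity=1.0),
]
```

The operator-error and generator entries both carry 0.4 expected outage hours per year, yet only the generator risk exceeds the curve, because a four-hour outage once a decade is tolerated less readily than twelve-minute blips twice a year.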

Q+A

Contact us at:
David M. DiQuinzio (973) 903-3699
DaveD@strategicfacilities.com

Kathleen A. Lucey (516) 676-9234
K.Lucey@montaguetm.com

LATER, DUDES!!!
